Updated UK Cookie Law Could Confuse Some

Are Internet “cookies” really all that bad? Well, they are when they generate unwanted email messages and advertising. Sometimes people land on certain Web pages by mistake, but that doesn’t stop the site from sending a cookie to each person’s computer. Well, the UK’s Information Commissioner’s Office (ICO) has decided to put an end to random cookie setting.

A cookie, as defined by the ICO in its guidance, is a small file, typically of letters and numbers, that’s downloaded onto a device when a user accesses a certain website. Every time a user visits that website, a cookie is sent back to it. Basically, cookies help websites to recognise individual devices.

On 26 May 2012, the ICO implemented an updated version of the cookie law that it had established in May 2011. The law requires websites to inform site visitors that cookies will be set on their devices and then give them the option to refuse having those cookies set. A year later and most websites are still non-compliant.

The updated law seeks to give individual consumers some modicum of control over their personal information by allowing them the option to say no to having their personal information collected and stored by various and sundry websites. It sounds simple enough, but when the law starts talking about “implied consent”, the waters start to get a little murky.

Here’s how the ICO’s guidance explains implied consent:

For implied consent to work there has to be some action taken by the consenting individual from which his consent can be inferred. This might, for example, be visiting a website, moving from one page to another, or clicking on a particular button. The key point, however, is that when taking this action, the individual has to have a reasonable understanding that by doing so he is agreeing to cookies being set.

Ambiguity aside, website administrators are supposed to have some kind of announcement posted on their sites letting visitors know that cookies could be set on their devices and what they can do to prevent that from happening. What’s important to note here is the fact that most UK Web users don’t know that this cookie law exists or what a cookie is and how it operates.

UK IT services providers and consultants have an opportunity to protect their existing clients and engender goodwill among prospects by making it known that non-compliance with this law will soon bear a hefty financial penalty.

Over the past year, website owners’ non-compliance has gone unpunished. The ICO is willing to be patient and give businesses and other website owners more time to achieve compliance. But eventually, the ICO could fine non-compliant website owners as much as £500,000 (approximately $779,000 at current exchange rates) for this violation.

Rather than fool around with trying to figure out when the implied consent rule applies, UK business leaders whose websites use cookies might want to go with explicit consent. This would ensure that they meet the ICO’s compliance requirements and prevent their being fined half a million pounds.